Open mail relays used to deliver "Hybris Worm"

Date: Friday, March 02, 2001

Overview

It is well documented that intruders have used open mail relays for years
to deliver unsolicited email. Recently, the CERT/CC has received reports of
intruders using open mail relays to propagate malicious code such as the
"Hybris Worm." This represents a threat because intruders are increasingly
using open mail relays to increase the number of messages propagated
containing malicious code by leveraging the increased bandwidth and processing
power of hosts connected to the Internet.

Description

The Hybris Worm is a piece of malicious code that propagates through email
messages and newsgroup postings, specifically targeting Windows machines. To
become infected, a user must execute an attachment received in email or a
posting; no special mail or news reader program is required to become
infected.

This worm infects the Windows networking library WSOCK32.DLL file, thereby
subverting "normal" email behavior. Whenever a user sends an email on an
infected machine, the malicious code sends out another email to the same
recipient with a copy of itself as an attachment. Based on reports the
CERT/CC has received, Hybris only affects Win32 systems and does not contain a
destructive payload. However, the malicious code appears to contain code
modules that can be upgraded from the web to give it a destructive
payload. There are several variants, although all variants have the same
behavior with very minor differences.

Versions of Hybris reported to the CERT/CC have these characteristics:

While these characteristics are the most common in reports we have
received, it is possible for any mail message to contain Hybris as a
file attachment.

Intruders are using open mail relays to propagate
Hybris. An "open" mail relay is a mail transport agent (MTA) that is
configured to forward mail between senders and recipients who are not
a part of the MTA's operational domain. "Open mail relays" are
sometimes called "open mail servers," "mail relays," "third-party mail
servers," or similar names. Intruders who wish to obscure their
identity often send mail through an open mail relay. Using an open
mail relay from another site is attractive to the intruder because
accountability is far less enforceable. For more information on open
mail relays, please see

Impact

Sites with open mail relays may be used to send mail to arbitrary
third parties with possible malicious payloads such as Hybris. The use of the
mail server's cycles and bandwidth can degrade the quality of service.

Solution

It may be possible for an organization to be an open mail relay
without knowing it. Generally speaking, there are few
circumstances under which a network should have an open mail relay. We
encourage sites to review their mail server configuration and
evaluate their exposure to this type of abuse.
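The following is an added example, not part of the original incident note or of any MTA's code. It models the relay decision an MTA makes at the SMTP RCPT TO step, using the note's definition of an open relay (forwarding between senders and recipients outside the MTA's operational domain), so the "permit everything" misconfiguration can be compared with a restricted policy on constructed sample transactions; the policy fields, domains and addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model of an MTA's relay policy (example code, not a real MTA).
# The "operational domain" is expressed as the domains the MTA delivers for
# plus the client networks it is willing to relay outbound mail for.
@dataclass
class RelayPolicy:
    local_domains: set = field(default_factory=set)      # domains this MTA accepts mail for
    trusted_networks: list = field(default_factory=list)  # CIDR blocks allowed to relay out
    permit_all: bool = False                              # the open-relay misconfiguration

def _in_trusted_network(policy, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in policy.trusted_networks)

def _is_local_domain(policy, domain):
    d = domain.lower()
    return any(d == ld or d.endswith("." + ld) for ld in policy.local_domains)

def rcpt_decision(policy, client_ip, rcpt):
    """Return the SMTP reply this policy gives to RCPT TO:<rcpt> from client_ip."""
    domain = rcpt.rsplit("@", 1)[-1] if "@" in rcpt else ""
    if _is_local_domain(policy, domain):
        return "250 2.1.5 Ok"                    # inbound mail for our own domain
    if policy.permit_all or _in_trusted_network(policy, client_ip):
        return "250 2.1.5 Ok"                    # outbound relay for a trusted client
    return "554 5.7.1 Relay access denied"       # third-party relaying refused

# Constructed configurations for a hypothetical MTA serving example.org.
OPEN = RelayPolicy({"example.org"}, ["192.0.2.0/24"], permit_all=True)
FIXED = RelayPolicy({"example.org"}, ["192.0.2.0/24"])

# Constructed sample transactions: (client IP, recipient).
SAMPLES = [
    ("203.0.113.5", "victim@example.net"),    # outside client -> outside recipient
    ("203.0.113.5", "bob@mail.example.org"),  # inbound to our own subdomain
    ("192.0.2.10", "victim@example.net"),     # internal client sending outbound
]

def third_party_relays(policy):
    """Sample transactions the policy accepts although neither side is ours."""
    return [
        (ip, rcpt) for ip, rcpt in SAMPLES
        if rcpt_decision(policy, ip, rcpt).startswith("250")
        and not _is_local_domain(policy, rcpt.rsplit("@", 1)[-1])
        and not _in_trusted_network(policy, ip)
    ]
```

Any transaction listed by `third_party_relays` is one the MTA would forward for an arbitrary third party, which is exactly the exposure the note asks sites to review.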

As good security practice, users should always exercise caution when
receiving email with attachments. Disable auto-opening or previewing of email
attachments in your mail program. Do not open attachments from untrusted
origins or those that appear suspicious in any way. Finally, cryptographic
checksums can be used to validate the integrity of the file.